<!DOCTYPE html>
<html>
<head>
  <title>Installation Guide - Linux - CVE-Search</title>

  <meta charset="utf-8">

  <link href="./css/style.css" rel="stylesheet" />
</head>
<body>
<h1>Installation procedure for CVE-Search on Linux</h1>
<p>
  This page describes the installation procedure for CVE-Search on Linux.
  This installation procedure is written for Ubuntu, but will work on most other distributions.
  In this guide, we assume you are using <span class="code">apt</span> as your package manager.
  If you are using a different one, install the requirements using your package manager of choice
</p>
<h2>Requirements</h2>
<p>
  In order to install CVE-Search, you will need approximately 3 to 4GB of free disk space, as well as root or administrator access to the machine you want to install it on.
  There is no minimum requirements regarding CPU or memory, but slower systems will have a longer load time.<br />
  <br />
  CVE-Search requires the packages you find below in order to function.
<table>
  <thead>
  <tr><td>Package</td> <td>Installation</td></tr>
  </thead>
  <tr><td>Python3</td> <td><span class="code">sudo apt-get install python3</span></td></tr>
  <tr><td>MongoDB</td> <td><span class="code">sudo apt-get install mongodb</span></td></tr>
  <tr><td>Redis Server</td> <td><span class="code">sudo apt-get install redis-server</span></td></tr>
  <tr><td>PIP3</td> <td><span class="code">sudo apt-get install python3-pip</span></td></tr>
</table>
<br />
After installing these packages, you need to install some python modules using PIP3.
These modules are all in the requirements.txt file, and can be easily installed using <span class="code">sudo pip3 install -r requirements.txt</span><br />
<ul>
  <li>PyMongo</li>
  <li>Flask</li>
  <li>Flask-pymongo</li>
  <li>Flask-login</li>
  <li>Tornado</li>
  <li>Whoosh</li>
  <li>Redis</li>
  <li>Python-dateutil</li>
  <li>Passlib</li>
  <li><a href="https://github.com/marianoguerra/feedformatter/archive/master.zip">Feedformatter</a></li>
  <li>irc</li>
  <li>sleekxmpp</li>
  <li>Werkzeug</li>
  <li>Jinja2</li>
  <li>itsdangerous</li>
  <li>click</li>
  <li>ijson</li>
  <li>tqdm</li>
</ul>
</p>
<h2>Setting up CVE-Search</h2>
<p>
  Before setting up CVE-Search, you have to make sure the scripts are present on your system. Your best choice is to use <span class="code">git</span>
  to clone CVE-Search from its github repository:
  <br />
  <span class="code">git clone https://github.com/cve-search/cve-search.git</span>
  <br />
  Alternatively, you can download the project zip file and extracting it from <a href="https://github.com/cve-search/cve-search/archive/master.zip">the offical CVE-Search Project, based of Wim Remes work</a>
  <br />
  The initial setup of CVE-Search happens only once, at the installation. This consists of two steps and one optional step.
  <ol>
    <li>Populating the database</li>
    <li>*Optional* You can also run the "Other <abbr title="Common Vulnerability Enumeration">CVE</abbr> Dictionary" script to help fill in the blanks
    </li>
    <li>Updating the database</li>
  </ol>
</p>
<h3>Populating the database</h3>
<p>
  For the initial run, you need to populate the CVE database by running:
  <ol>
    <li><span class="code">./sbin/db_mgmt_cpe_dictionary.py -p</span></li>
    <li><span class="code">./sbin/db_mgmt_json.py -p</span></li>
    <li><span class="code">./sbin/db_updater.py -c</span> (This will take >45minutes on a decent machine, please be patient)</li>
  </ol>

  It will fetch all the existing JSON files from the Common Vulnerabilities
  and Exposures feed and the Common Platform Enumeration. The initial
  Common Platform Enumeration (CPE) import might take some time depending
  of your configuration.

  If you want to add the cross-references from NIST, Red Hat and other vendors thanks to <a href="https://github.com/cve-search/VIA4CVE">VIA4CVE</a>:
  <ol>
    <span class="code">./sbin/db_mgmt_ref.py</span>
  </ol>

  NB: If you want to  import your own JSON from VIA4CVE, you have to replace URL in sources.ini the VIA4 attribute with `file:///PATH/TO/VIA4CVE/VIA4CVE-feed.json`.

</p>
<h4>Creating the <abbr title="Common Platform Enumeration">CPE</abbr> collection</h4>
<p>
  This script (<span class="code">./sbin/db_mgmt_cpe_dictionary.py -p</span>) fills the database with the product information. This information one of the key features of cve-search, as this allows you to search for vulnerabilities for specific systems, and allows you to see to what systems a <abbr title="Common Vulnerability and Exposure">CVE</abbr> applies.
  It also allows for a user-friendly, readable format for the CPE. This script will translate <abbr title="Common Vulnerability Enumeration">CVE</abbr> formats like <span class="example">cpe:/a:adobe:flash_player:14.0.0.125</span> to readable formats like <span class="example">Adobe Flash Player 14.0.0.125 APSB14-16</span> where possible.<br />
  <br />
  To run this script, either type <span class="code">./db_mgmt_cpe_dictionary.py</span> or <span class="code">python3 db_mgmt_cpe_dictionary.py</span>.<br />
  <br />
  This script uses the <abbr title="Common Vulnerability Enumeration">CVE</abbr> dictionary from NIST's NVD. As there are a lot of products, they can not make a title for each <abbr title="Common Vulnerability Enumeration">CVE</abbr> manually. That's why CVE-Search has another script, called <span class="code">db_mgmt_cpe_other_dictionary.py</span>.
  This script takes the <abbr title="Common Vulnerability Enumeration">CVEs</abbr> that have no title, and splits them into a human readable format. <br />
  <br />
  To add this dictionary, type <span class="code">python3 db_mgmt_cpe_other_dictionary.py</span> and hit enter.<br />
  <b>NOTE:</b> It is possible this script will crash, due to the large amount of information. If this happens, first run <span class="code">python3 db_mgmt_create_index.py</span>
</p>
<h4>Creating the <abbr title="Common Vulnerability Enumeration">CVE</abbr> collection</h4>
<p>
  Populating the CVE collection (<span class="code">./sbin/db_mgmt_json.py -p</span>) might take a while when you first run the script. Before you run this script, there are two important parameters you need to set in your configuration.ini file.
  These settings can be found under the <span class="highlight">[CVE]</span> section. These settings are:
<table>
  <thead>
  <tr><td>Setting</td> <td>Default setting</td> <td>Explanation</td></tr>
  </thead>
  <tr><td>StartYear</td> <td>2002</td> <td>The start year of <abbr title="Common Vulnerability and Exposure">CVE's</abbr> you want in your database. The lowest setting is <span class="code">2002</span>, the highest is the current year.</td></tr>
</table>
<br />
Once you checked these settings, verify that the settings in the <span class="highlight">[Mongo]</span> section are the connection settings for your database.
If you installed the database with the default settings, these settings should be fine. The table below explains these settings a bit more:
<table>
  <thead>
  <tr><td>Setting</td> <td>Default setting</td> <td>Explanation</td></tr>
  </thead>
  <tr><td>Host</td> <td>localhost</td> <td>The host the Mongo database server is running on</td></tr>
  <tr><td>Port</td> <td>27017</td> <td>The port that Mongo uses on the host specified above</td></tr>
  <tr><td>DB</td> <td>cvedb</td> <td>The database CVE-Search will save its information to. Changing this is a good way to do some testing, without having to restore the entire database afterwards</td></tr>
</table>
<br />
Once you checked these settings, you can run the script by either typing <span class="code">./db_mgmt_json.py -p</span> or <span class="code">python3 db_mgmt_json.py -p</span>. You will see the message "Database population started".
If you want more output of what the script does, while it's running, you can add the parameter <span class="code">-v</span> to any of these commands.
</p>
<h3 id="update">Updating the database</h3>
<p>
  Before updating the database, you have to decide if you will use the web interface of CVE-Search. This interface uses Redis Cache to speed up <abbr title="Common Vulnerability Enumeration">CVE</abbr> browsing.
  If you will be using this feature, make sure your configuration.ini file has the correct settings, and points to your Redis server. The table below explains the several settings.
<table>
  <thead>
  <tr><td>Setting</td> <td>Default setting</td> <td>Explanation</td></tr>
  </thead>
  <tr><td>Host</td> <td>localhost</td> <td>The host the Redis database server is running on</td></tr>
  <tr><td>Port</td> <td>6379</td> <td>The port that Redis uses on the host specified above</td></tr>
  <tr><td>VendorsDB</td> <td>10</td> <td>The Redis database to store vendor information</td></tr>
  <tr><td>NotificationsDB</td> <td>11</td> <td>The Redis database to store notifications</td></tr>
</table>
<br />
Finally, update the database by typing <span class="code">python3 db_updater.py</span> or <span class="code">python3 db_updater.py</span> and hit enter.
If you are planning on using the web interface, it is recommended to add parameter <span class="code">-c</span><br />
If you are planning on using the fulltext indexer, it is recommended to add parameter <span class="code">-i</span><br />
To add verbose output, add parameter <span class="code">-v</span><br />
To let the script run automatically at a regular interval, add parameter <span class="code">-l</span><br />
<b>NOTE:</b> The updating script may warn you that the plug-in file is missing. This can be resolved by creating `./etc/plugins.txt`. However, if the file is missing, the update still works. <br />
</p>
<h3>Fulltext Search</h3>
<p>
  If you want to enable fulltext search, you have to enable this in the database. <br />
  To do this, log into the Mongo database (<span class="code">$ mongo</span>) and run the following command: <span class="code">db.adminCommand({"setParameter": 1, "textSearchEnabled":true})</span>. <br />
  <b>Note:</b> when the Mongo database is shut down, fulltext search will be disabled again. Simply run the same command again to activate it.
</p>
<h2>Final notes</h2>
<p>
  After this procedure the database is initialized and up to date. From this point on, to update the database, you only have to repeat the procedure to <a href="#update">update the database</a>.<br />
  <br />
  If you decided not to the optional step, you can still initialize this later on.
</p>
</body>
</html>
